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* FD-801 (Rev. 7-15-97) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE 


Date: 11/17/2000 


To: Counterterrorism 


Attn: 


b7E 


From 


Squad, 11, I OS 


Approved 



Drafted By: I 


: lj s 


(206) 262-2438 


Case ID #: , /288A-SE-NEW9'$’/^ 


Title: Subject: 

Victim: 
Type: 
Date : 


HACKWEISER; 

SNONET; 

INTRUSION - WEB PAGE DEFACEMENT; 
09/24/00 


SUBMISSION: X Initial □ Supplemental □ Closed 


CASE OPENED: 11/17/00 


CASE CLOSED: 


b6 

b7C 


□ No action due to state/local prosecution (Name/Number ) 

□ USA declination 

□ Referred to Another Federal Agency (Name/Number: ) 

□ Placed in unaddressed work 

□ Closed administratively 

□ Conviction 


COORDINATION: FBI Field Office 

Government Agency 
Private Corporation 



VICTIM 


b6 

b7C 

b7D 


Company name/Govemment agency: SNONET. Contactf | 

Address/location: 917 134th Street SW. Suite B-3. Everett. WA b6 

b7C 

b7E 



To: 
Re : 




CounterterroHEsm From : 
288A-SE-NEW, 11/17/2000 


SAC, Seattle 



REMARKS 


On September 25, 2000 
134th Street Southwest, Suite B-3, 


date of birth[ 


werett, Washington, telephone number 


917 


contacted the complaint desk at the Federal Bureau of I nvestigatio n (FBI) Seattle, Washington, 

jsaid that the hacker(s) replaced 
On November 1 7, 2000, 

[ who 


and advised that his business' web site had been hacked 
web pages with inappropriate material (e.g., vulgar comments) 

Intelligence Operations Specialist (IOS 1 ~| telephonically contacted[ 

provided the following information: 


Jis the Manager of Technical Services for SnoNet, a company that provides 
web hosting for Western Washington non-profit organizations. In September 2000, four web 
sites hosted by SnoNet were defaced: the SnoNet.org site, the Cleveland High School Alumni 
Association site, Snohomish County Tourism's "Grandparents Stay Free" site, and the 
Washington Red Cross' site. The hacker(s) replaced material on the SnoNet h osted web sites 

I could not 


with profane messages. [_ 


]does not know the true identity of the hackers. 


recall the names or Pseudemys the hacker(s) used, but advised that mirrored pages were posted 
on Attrition's web site (www. attrition. or gT 


| |said the SnoNet web host runs Windows NT 4.0 as its operating system. 

| said that the hacker(s) broke into the SnoNet web host via vulnerability found in "mdac" 


consequently patched the mdac vulnerability. 


SnoNet does not utilize anti-virus software or firewalls on its web hosts. 


said 


he updates access control lists and runs a DMZ (Demilitarized Zone) host as a security 


b7E 


b6 

b7C 


b6 

b7C 


b6 

b7C 

b7E 


b6 

b7C 
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To: CounterterroSsm From: SAC, Seattle 

Re: 288A-SE-NEW, 11/17/2000 


precaution. Warning banners are not posted by SnoNet on their hosted sites. | |said he 

doesn't know why s omeone wo uld want to hack into a non-profit site, a medium that is in place 
only to help people. said he would provide the FBI logs documenting the intrusion. 

On November 17, 2000, and November 20, 2000, IOSl I 


be 

hlC 


he 

hlC 

b7E 


b7E 





Case ID: 288A-SE-85166 


1A Envelope 






F-V «■> (2-w. 3-7-! !) 


i5~ / ^ c- " Mi 

Universal Case File ?3u inker A — 5\ F-,~4-cQsrrr~) 


Field Office Acquiring Evidence _ 

v U-L-i wVL 

■ sv . • 

i CS^rCCA^./ 


Serial 0 of Originating Doc.. men! 

. 



Date Received ) 1 / 1~7 1 OO 

Prom j£)S 



1 \lO' v VMmrt .rL.V - ' 

r-^ , (Address of Contributor) 

«< j . Da QS-ini 


* ' - 

BV . lO^ 

; /n. 

ty and State) 


of Special Agent) 


To Be Returned □ Yes 0 No ' ~ 

Receipt Given □ Yes LJNo 

Grand Jury Material - Disseminate Only Pursuant to Rule 6 (8) 
Federal Rules of Criminal Procedure 
\ □ Yes □'No 

* Title: \ ' 

> - « ,1 „ ' 


b6 

b7C 


Reference: 


(Communication Enclosing Material) 


Description: Q'uriginalnotes re interview of 

^ll/o Oixi O v ^=£l ■); £1 £ 



b6 

b7C 



? 


K' 



KEEP ATTACHED TO 
SEATTLE EXHIBIT 

mA&rfclblrlfif | 

11/17/00: 


SNONET is a Technology company that does web hosting for non-profits WEstem Washington. 


snonet, recross@washington, clearwater 

school, and (no contact with the subject)..cleavand higschool alum,ni assoc, snohomish country 
tourism grandparentsstayfiree.com site. 

WinNT 4.0 IIS service. 

mdac sql statements, the mdac component, the Webserver interacts, he did somehtings via sql. 
patched. 

no ant-virus, does not have a real firewall but uses some access lists and a dmz host). 

Big hassle, should have updated any way, three hours to repair the damage, 
some banner warnings on the intranet not on the internet. 


ns the Magager of technical services. 


no identified logging information where the person connected from: but will send me his logs. 




^ /c ' 
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SEATTLE EXHIBIT 
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FD-71 (Rev. 3-27-95) 
* Complaint Form 


NOTE: Hand print names legibly; handwriting satisfactory for remainder. 
Indices: 0 Negative 0 See below 


Subject's name and aliases 

UNSUB; 


Character of case 

Computer Intrusion; 


a 


Complainant 0 Protect Source 


Complaint received 




b6 

b7C 



0 Persptfal HI Telephonic Date 09/25/2000 Tim e 11 : 35 BX( \ 


Address of Subject 


Complainant's address and telephone number 

9x7 134th Street Southwest. Ste B-3 
[/Everett. WA. (425) 921-T471 


Complainant's DOB 
11/05/1964 


Sex 

Male 


o 

Race 

0 Male 

Height 

Hair 

Build 

Birth date and birth place 

11 

11 

Age 

0 Female 

Weight 

Eyes 

Complexion 

Social Security Number 


Scars, marks and other data 


Employer 


Address 


Telephone 


Vehicle Description 


Facts of Complaint 

C called Seattle FBI to report that the web site for his place of 
business, "SNONET" , a non-profit organization in Everett, Washington had 
been "hacked" into. C claims that four pages of about sixty have 
inappropriate material, i.e. vulgar comments, etcetera. 




Do not write in this space. 


aeg 

( 2 ) 
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SEARCHED, 

SERIALIZED^ 




INDEXED. 
FILED 


DEC 0 % 2000 

FBI SEATTLE 


(LOfflpfaint received by) 


BLOCK STAMP 


— 


49-luvO^, Fb 1 -?! 
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^noNjej/ 

{search 




Welcome 


Events 


917 -134th St. S.W. 
Suite B3 

Everett, WA 98204-9377 


Tel: 425.921.3473 
Fax: 425.921.3484 

SnoNet the 
Organization 

Who We Are 

HowTo Help 

Feedback 

Newslet ter 

Services 

Projects 

Sites Hosted 
On SnoNet 


A Connected Community is 
about Partnerships. Visit Our 
Featured Sites and Partners 
listed below as well as the 
other sites we host . Also check 
out Teens4teens the teen 
issues Web site, MATCHES 
our system for matching 
School-to-Work opportunities, 
and The Regional Skills Gap 
Consortium site. 

Featured Sites 



tafflSdiocIWQfk \ 


| [Hcmthy Communities U 




• I 

Splisfl 

m SERVICES 


WoRKSoura 


Closing ceremony 
ofYMCA 
Connections, a 

week-long retreat at 
Warm Beach that 
brings together 
teens & cops to 
discuss DUI, drug 
use, and violence, 
and create action 
plans for their 
community. 
Ceremony begins at 
10:30am and ends 
at noon on 
11/10/2000. Closing 
speaker is 

Lieutenant Governor 
Brad Owen. 


SnokomkhCawm 


fWWM 

! Association FOR 

comtuumty 
i Networking 


Thanks for coming to SnoNet, 
gateway to Snohomish County, 
Washington, where business, 
education, community services 
and local government are 
working together to create an 
interconnected community for 
the 21st century. If you would 
like more background info on 
SnoNet it is available in the 
organization section of the site, 
or read about the many 
services we provide to the 




SEARCHED 

SERIALIZED 


DEC 0 5 2000 


FBI SEATTLE 


http://snonet.org/ 


11/20/00 
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• • 

community. This is a 
community resource and will 
improve and meet the needs of 
the community if you a dd your 
voice . 

[Ex plore] [Work] [Live] [Learn] [Hel p] [Connect] 

[search] f calendar ! [what 's n ew! [contact us! [services] [support] 

Please check out 

our s ponsors! Please send us your links, events, or comments . 


http://snonet.org/ 


11/20/00 
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noNet - Who or what are we? 


Connect! Work (' Live |j Learn Help I Explore 


[seSrchl 


Who We Are 


SnoNet the 
Organization 

Who We Are 

• Sponsors 

• Contact Us 


SnoNet is based on a strong community partnership. 
SnoNet has a 120 person steering committee that 
helped develop the original vision for SnoNet. The 
steering committee now meets annually to review the 
progress of SnoNet. SnoNet has a 9 member board of 
directors that represent key partners in the region. The 
ten members of the SnoNet staff team serve to direct 
the pro jects of SnoNet and implement the workplan. 


• Mission/Historv 

How To Help 

Feedback 

Newsletter 

Servi ces 

Projects 



U.S. Secretary of 
Education Richard 
Riley & U.S. 
Senator Patty 
Murray get a 
briefing on 
SnoNet & 
SchoolWork by 
SnoNet & 
SchoolWork 


Initiative Board members. 


Board of Directors 


. Burnie Clark, President/CEO, KCTS-T V 

• Jack Corbally, Chairman, The MacArthur 
Foundation 

• Bob Drewel, County Executive, Snohomish 
County 

• Charlie Earl, President, Everett Community 
College 

• Larry Hanson, President and Publisher, T he 
Herald 

• Charlie Liekweg, President/CEO, AAA of 
Washington 

• Dr. Wayne Robertson, Superintendent, 
Edmonds School District 

• Brent Stewart, President, United Wav of 
S no horn i sh C o u nty 

• John Thoresen, President, Mu tual Ban cs hares 
Capital 


http://snonet.org/snonet/whoweare.html 
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[Home] [Explore] [Work] [Live] [Learn] [Help ] [Conne ct] 

[search] [calendar] [what's newl [contact usl [services] [su pport ] 

Please send us your links , events , or comments . 


Sponsored in part by: 
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J2NET - Web Building - Back End & Management - Server Insecurity 


CNET | News | Hardware ] Downloads | Builder j Games j Jobs | Auctions | Prices f 'lech Help 


Free Email 





CNET : Web Building : Back End & Site Management : Server Insecurity 


& 


7T7 \ ; . " V;* V: 

Server Insecurity 


By SaumiLiW9y.an-Sh.ah 
( 6 / 13 / 00 ) 


Back to intro 


Microsoft IIS MDAC RDS Vulnerability 

Servers affected: Windows NT servers running IIS 4.0 with MDAC version 2.1 or earlier 

About a month after the IIS eEve hack was discovered, another vulnerability in IIS 4.0 popped 
up. Using Microsoft Data Access Components (MDAC) and Remote Data Services (RDS), an 
attacker can establish unauthorized ODBC connections and gain access to internal files on 
the Web server. If either the Microsoft Jet OLE DB provider or the datashape provider is 
installed, an attacker can issue commands to be executed on the server using the Visual 
Basic for Applications she!l() function. 

The MDAC RDS vulnerability can be found in IIS 4.0 with MDAC version 2.1 or lower, in the 
\msadc\msadcs.dll file in the Web server public directory. Rain Forest Puppy includes the 
details of this hack on his site. The exploit makes use of improper configuration and lack of 
security mechanisms from the default installation of MDAC on IIS. In this attack, someone can 
remotely execute arbitrary commands on the NT system under the security privilege context of 
the IIS Web server process, which is equivalent to the NT Administrator. 

MDAC’s vulnerability lies not in the technology but rather in the way users configure it. Many 
sites install IIS 4.0 from NT Option Pack 4.0. If the NT Option Pack 4.0 is installed with the 
Typical or default configuration settings, MDAC is vulnerable to this attack. Most system 
administrators using the default setup had not hardened the Web server security by fine- 
tuning the settings. 



How do you keep 
abreast of security 
issues? 

In Builder Buzz 


ADVERTISEMENT 



V Also on CNET 


Hack-Proof Servers 
In Web Building 

Antihacker 
downloads 
In Downloads 

The Hacker’s Toolkit 
In Software 

Security Help Center 
In Help.com 


George Kurtz of Foundstone Inc. . Nitesh Dhanjani of Purdue University , and ! devised a one- 
line command string to be used with the MDAC RDS exploit that caused the remote NT 
system to initiate a file transfer over FTP or TFTP. Our command tells the server to download 
and execute Netcat from an outside system. Netcat will run the Windows command shell and 
establish a connection back to the attacker's computer, giving the attacker full administrative 
control of the remote NT system. 


More Resources 


Digital Battlefield 
From Foundstone 

Microsoft Security 

Advisor 

From Microsoft 


Microsoft has posted a security bulletin describing the procedure to secure IIS 4.0 against this 
vulnerability. 


Break in through ColdFusion 


Computer 
Emergency 
Response Team 
From Carnegie Mellon 
Software Engineering 
Institute 


D- 


-O 


Microsoft IIS ism. dll Buffer Overflow 
Microsoft IIS MDAC RDS Vulnerability 


Allaire ColdFusion 4.0 Vulnerabilities 
Sambar4.3 hello.bat 



Saumil Udayan Shah, principal consultant for FpuadSt0l\eJDP« provides information security consulting services to 
Foundstone clients. Shah specializes in ethical hacking and security architecture. He holds a designation as a Certified 


http://www.builder.com/Servers/SecurityFixes/ss02.html 
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Information Systems Security Professional (CISSP). 

£~ r ' : ■ ' \ Paann; ' . / esaaa; 


Hot Computer Books 50% OFF cover Advertisement 

Secrets & Lies : Digital Securit y • Li nux i n a Nut shell • Te lecos m 



Click Here! 




|CNET Services: Auctions ■ Check Latest Prices • Downloads • Enterprise Business * Find a Web Host • 
jFind an ISP ■ Free Newsletters ■ Gadgets • Games • Hardware • Help & How-Tos * Latest PCs ■ 
sMedia Productions - News • Publish Your Opinion ■ Search * Stock Quotes ■ Tech Jobs • Web Building • 
Services 


CNET Jobs ! Corrections \ How to Advertise ] Join CNET's Affiliate Program | Support 

Back toTop 


About CNET 

Join CNET. we’re hiring 


Copyright ©1 995-2000 CNET Networks, Inc. All rights reserved. Priyacyjsglioy. 
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All Products | Support | Search | 


JTechNet Home I Site Map I Events I Downloads I Personalize I W orldwide I A dvanced Search_J 
T Navigate UlndexH Search TechNet 1 


13 Navigate by 
Product 

El Technical 
Support 

B Top IT Topics 

Drivers 

E-Commerce 

Interoperability 

Intranet 

Networking & RAS 

Reliability 

Security 

Technology 

Solutions 

El Talk 

ei Training 

ei TechNet Columns 

El About TechNet 


Microsoft Security Program: Frequently Asked 
Questions: Microsoft Security Bulletin (MS99-025) 

What's this bulletin about? 

M i c ro so ft S ecu rity Bu 1 1 eti n MS.99-Q25 js a re-release of Microsjo ft .Security 
B u I l„eti which was originally issued on July 17, 1998, and 
discussed a vulnerability in the Microsoft® Data Access Components (MDAC). 
A visitor to a web site on which both Microsoft Internet Information Server 
(IIS) and certain versions of MDAC are installed could perform privileged 
actions on the system. IIS and MDAC 1.5 are installed by default as part of 
the Windows NT 4 Option Pack. 

Microsoft takes security seriously, and is providing this bulletin to remind 
customers about this vulnerability, to restate the threat, and encourage 
system administrators to evaluate their systems to determine if their systems 
have been correctly configured and updated to protect against this 
vulnerability. 


pg] Send this 
to a colle 

Printer-fr 
^ version 


Contact Mic 


> Developer What's the scope of the vulnerability? 


Questions or 
Comments ? 


This is a p ri yi I eg e .eley a ti o n attack. On a system with both IIS and MDAC 
installed, the vulnerability in MDAC could allow an otherwise unauthorized web 
user to perform privileged actions on the system, including: 


• Allowing an unauthorized user to execute shell commands on the IIS 
system as a privileged user. 

• On a muiti-homed Internet-connected IIS system, using MDAC to 
tunnel SQL and other ODBC data requests through the public 
connection to a private back-end network. 

• Allowing unauthorized access to secured, non-published files on the IIS 
system. 

Is this a new issue? 

No. It was previously discussed in M icrpsof t A.ec u ri ty_B. u 1 1 eti n M S 9 8 - 0 04, which 
documented the vulnerability in MDAC 1.5 and detailed steps that should be 
taken to eliminate the vulnerability. Customers who followed steps detailed in 
MS98-004 are not at risk from this vulnerability. 

If this is not a new issue, why is Microsoft re-releasing the 
security bulletin? 

There are three reasons: 


• Microsoft has recently learned that the vulnerability has been used to 
gain unauthorized access to Internet-connected systems that have not 
been updated per the instructions in MS98-0.0.4. 

• Unlike many vulnerabilities, this one is not eliminated simply by 
upgrading to a subsequent version. When upgrading, customers need 
to either perform a clean install or set a particular registry key to 
ensure that they are not vulnerable to the problem. 


http://www.microsoft.com/technet/security/bulletin/fq99-025.asp 
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• If a set of sample pages has been installed on a production server, it 
can introduce the vulnerability into an otherwise-secured server. 

The intent of re-releasing this bulletin is to serve as a reminder about this 
vulnerability, to restate the threat, and encourage system administrators to 
evaluate their systems to determine if their systems have been correctly 
configured and updated to protect against this vulnerability. 

I have a firewall that protects my web server, will it protect me 
from this vulnerability? 

In most cases, a simple packet-filtering firewall will not prevent exposure to 
this vulnerability. The RDS DataFactory object can be invoked by a web client 
issuing standard URL requests to an Internet Information Server over port 80 
(or any alternate port that you have configured IIS to listen to). 

Is this a vulnerability in IIS? 

No. The only reason that IIS is discussed with regard to this vulnerability is 
because IIS provides a means for a hostile user to remotely exploit the 
vulnerability. 

Where does the vulnerability lie? 

The vulnerability lies in the Microsoft Data Access Components (MDAC); 
specifically, in one component of the Remote Data Services in MDAC, the 
DataFactory object. 

MDAC provides key technologies that enable Universal Data Access. Data- 
driven client/server applications deployed over the Web or a LAN can use 
these components to easily integrate information from a variety of sources, 
both relational (SQL) and nonrelational. These components include Microsoft 
ActiveX® Data Objects (ADO), OLE DB, and Open Database Connectivity 
(ODBC). MDAC 1.5 ships with the Windows NT 4.0 Option Pack, and is 
installed during a default installation of the Option Pack. 

Remote Data Service (RDS) is a component of MDAC which is installed by 
default when installing the Microsoft Windows NT 4.0 Option Pack. The goal of 
the RDS component is to enable controlled Internet access to remote data 
resources through IIS. A component of RDS, called the DataFactory object, is 
where the vulnerability is. The DataFactory object is designed as a server-side 
Automation object that receives client requests. In an Internet 
implementation, it resides on a Web server and is instantiated by the ADISAPI 
component. The DataFactory object provides read and write access to 
specified data sources, but doesn't contain any validation or business rules 
logic. 

What versions of MDAC are affected? 

• MDAC 1.5 and 2.0 are affected by the vulnerability. 

• MDAC 2.1 is affected by the vulnerability when installed as an upgrade 
from a previous version. 

• Clean installations of MDAC 2.1 are only affected if Sample Pages for 
RDS have been installed. 

What are Sample Pages for RDS? 

These are samples provided as part of the Windows NT 4.0 Option Pack and 
the MDAC 2.0 Software Developers Kit (SDK). They are intended to help 
customers learn how to use the Remote Data Services, but are not intended to 


http://www.microsoft.com/technet/security/bulletin/fq99-025.asp 
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be deployed on production servers. The samples are not installed by default in 
the Option Pack, but are installed by default in the MDAC 2.0 SDK. 

What do I need to do? 

You need to do three things: 

1. Determine what version of MDAC you are running, then consult the 
instructions below to configure it for secure operation. 

2. Determine whether you need RDS functionality, then consult the 
instructions below to either disable it or configure it for secure 
operation. If you don't need it, the safest course of action is to disable 
it. 

3. Determine whether you installed the Sample Pages for RDS. If you did, 
you should remove them. 

How do I determine what version of MDAC I have installed? 

You can check the version numbers on specific .dll files associated with MDAC 
to determine the version installed on your system. The following table 
summarizes what file versions correspond to which MDAC versions. 


MDAC version 

Msdadc.dll 

Oledb32.dll 

Notes 

MDAC 1.5c 

1.50.3506.0 

N/A 


MDAC 2.0 

2.0.3002.4 

2.0.1706.0 


MDAC 2.0 SP1 

2.0.3002.23 

2.0.1706.0 


MDAC 2.0 SP2 

2.0.3002.23 

2.0.1706.0 

Superset: SP1 

MDAC 

2.1.0.3513.2 

(SQL) 

2.10.3513.0 

2.10.3513.0 


MDAC 

2.1.1.3711.6 
(Internet 
Explorer 5) 

2.10.3711.2 

2.10.3711.2 


MDAC 

2.1.1.3711.11 

(GA) 

2.10.3711.2 

2.10.3711.9 



Note these version numbers and compare them after an application 
installation to determine whether MDAC was upgraded. We also encourage 
you to view the MDAC Release Manifest for more information about MDAC 
versioning. 

I have MDAC 1.5 installed. What should I do? 

If you need RDS functionality, you’ll need to install MDAC 2.1, then follow the 
instructions below for securing your MDAC 2.1 installation. If you don't need 
RDS functionality, you should remove it by following the instructions below 
under "I don't need the RDS functionality . How do I remove it?". 

I have MDAC 2.0 installed. What should I do? 


http://www.microsoft.com/technet/security/bulletin/fq99-025.asp 
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You need to configure MDAC to operate in "safe mode". This provides RDS 
functionality but eliminates the vulnerability. "Safe mode" is governed by the 


Hive 

HKEY_LOCAL_MACHINE \SOFTWARE 

Key 

Microsoft\DataFactory\HandlerInfo\ 

Name 

HandlerRequired 

Type 

DWORD 

Value 

0="unsafe mode" 


l="safe mode" 


To make it easier to ensure that the server is configured in "safe mode", we 
provide a .REG file that when run on a system will set the appropriate registry 
key automatically. To use this .REG file, do the following: 


• The file is packaged as a self-extracting .zip file. Click here , then 
choose to either save or run the self-extracting file. 

• Run the seif-extracting .zip file to extract the file it contains, which is 
named HANDSAFE.REM. 

• When you are ready to make the registry changes, rename 
HANDSAFE.REM to HANDSAFE.REG. (We packaged the file with 
an .REM extension as a safety measure — .REG files automatically 
launch when double-clicked.) 

• Copy HANDSAFE.REG to each system that requires the registry change. 
Double Click HANDSAFE.REG to make the change. 

I installed MDAC 2.1 as an upgrade. What should I do? 

You need to configure MDAC to operate in "Safe Mode". See "I have MDAC 2.0 
installed. What should I do?" for instructions. 

I installed MDAC 2.1 as a clean installation. What should I do? 

Clean installations of MDAC 2.1 are already configured in "safe mode". 

I have MDAC 2.1 installed, but I don't know whether I did a clean 
install or an upgrade. What should 1 do? 

As long MDAC 2.1 is configured for "safe mode", it doesn't matter how it was 
installed. The important point is that clean installations of MDAC 2.1 default to 
"safe mode", and upgrades default to "unsafe mode". If you're not sure how 
you installed MDAC 2.1, it won't hurt to run HANDSAFE.REG, or to make the 
registry changes manually. 

I don't need RDS functionality. What should I do? 

Regardless of the version of MDAC you’re using, you can disable RDS 
functionality by doing the following: 

1. Delete the /msadc virtual directory from the default Web site 


http://www.microsoft.com/technet/security/bulletin/fq99-025.asp 
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Remove the following registry keys from the server hosting IIS: 

o HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services 
\W3SVC \Parameters \ADCLaunch \RDSServer.DataFactory 
o HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services 
\W3SVC \Parameters \ADCLaunch \AdvancedDataFactory 
o HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services 
\W3SVC \Parameters \ADCLaunch \VbBusObj.VbBusObjCls 

Actually, performing either of the above steps will disable RDS functionality. 
However, we've listed both steps for completeness. 

I do need RDS functionality. What should I do? 

The DataFactory object provides powerful capabilities that web developers can 
use to build applications which access a rich variety of data sources. Best 
practices for applications that use RDS functionality include: 

• Ensure that you have installed the latest version of MDAC on your 
system, and configured it to run in "safe mode". 

• Ensure that the Sample Pages for RDS are not installed. 

• If anonymous users should not be able to use RDS, disable Anonymous 
Access for the /msadc directory in the default Web site. 

• If you want to only allow specific database requests, you can create a 
custom handler to control or filter incoming requests. Information on 
how to do this is available at 

htt p : //www. microsoft.com/Data/ado/rds/custhand , htm 

I installed the Sample Pages for RDS. What should I do? 

The sample pages are not intended for use on production servers. In 
particular, the VbBusObj object, which is installed as part of the sample pages, 
provides an additional means of exploiting the same vulnerability. At 
minimum, you should ensure that the VbBusObj object is removed by doing 
the following: 


• Delete %systemdrive%\program files\common 
fiIes\system\msadc\samples\selector\middle_tier\vbbusobj\vbbusobj.dll 

• Remove the registry key 

HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/W3SVC/ 

Parameters/ADCLaunch/VbBusObj.VbBusObjCIs 

However, the best practice is to remove the samples altogether. To do this, 
delete the contents of %systemdrive%\program files\common 
files\system\msadc\samples and all subfolders. 

I don't know whether I installed the sample pages or not. What 
should I do? 

If the folder %systemdrive%\program files\common 
files\system\msadc\samples exists, the sample files are installed, and you 
should remove that folder and all subfolders. 

I installed the default installation of the Windows NT 4.0 Option 
Pack, am I affected? 

Yes. The default installation of the Windows NT 4.0 Option Pack installs 
Microsoft Internet Information Server 4.0 and Microsoft Data Access 
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Components 1.5, which is a vulnerable configuration. 

Can I install the Windows NT 4.0 Option Pack without installing 
MDAC 1.5? 

Yes. You can perform a custom installation of the Windows NT 4.0 Option 
Pack, and specify that the MDAC components should not be installed. 

I installed the Windows NT 4.0 Option Pack, and then installed 
Windows NT 4.0 Service Pack 4 or 5, am I still affected? 

Unless you have taken the steps indicated above (and in MS9 8^004) , your 
system is still vulnerable. Service Packs 4 and 5 do not automatically update 
the MDAC components, nor do they automatically disable the DataFactory 
object. 

Is there something I can watch for in the logs to help determine if 
someone is trying to use this vulnerabilty to gain access to my 
system? 

Since exploiting this vulnerability requires a standard HTTP "POST" to the 
MDAC DataFactory object, you might be able to detect that someone has 
attempted to use this vulnerability against your system by reviewing the IIS 
logs for "POST" entries to /msadc/msadcs.dil. 

Since the DataFactory object is a standard programmable interface, POST 
requests could be generated as part of the normal functioning of a custom- 
built web application. However, IIS does not use this functionality by default. 
So, unless you have built a custom application that uses the DataFactory 
object, a "POST /msadc/msadcs.dN" log entry indicates a good chance that 
someone has attempted to use this vulnerability against your system. 

However, it is important to realize that if someone has gained privileged 
access to your system by exploiting this vulnerability, it may be possible for 
them to alter the IIS data logs. 

I have some questions about installing MDAC 2.0 or 2.1, where 
can I find more information? 

Information about the Microsoft Data Access Components can be found on the 
Microsoft Universal Data Access web site at DQl£CPSQft^PArn/data- 

Questions specific to installing MDAC can be found on the MDAC Installation 
FAQ, htt p://www.microsoft.com/data/MDAC21info/MDACinstQ.htm . 

Where can I get the latest version of MDAC? 

You can download the latest versions of MDAC from the Microsoft Universal 
Data Access download site, http.://w\^ 

Where can I learn more about securing an Internet-based IIS 
server? 

A good resource for securing a system running Internet Information Server 
4.0 is the Microsoft Internet Information Server 4.0 Security Checklist, 
h tt p j //w w w . m i c r os o ft . co m/ 1 e cb 0 e,t/se c.u rj ty/i isjch k . a s p . 

Where can I learn more about best practices for my network? 

The Microsoft Security web site is the best to place to get information about 
Microsoft security. 
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How do I get technical support on this issue? 


Microsoft Data Access Components (MDAC) is a fully supported set of 
technologies. If you require technical assistance with this issue, please contact 
Microsoft Technical Support. Information on contacting Microsoft Technical 
Support is available at 


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT 
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING 
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS 
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING 
DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS 
PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS 
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF 
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE 
FOREGOING LIMITATION MAY NOT APPLY. 
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© 2000 Microsoft Corporation. All rights reserved. Terms of use. 


http://www.microsoft.com/technet/security/bulletin/fq99-025.asp 


11 / 20/00 




Page 1 of 1 


CNET resources - info source - glossary - ODBC 




CNET | News | Hardware | Downloads | Builder | Games j Jobs | Auctions j Prices j Tech Help 


Free Email 


Glossary 


Search 

Advanced • Tips 



Go! 

All CNET b 



Who sees your resume more often i 


Visit the Career Center 


powered by tooksmart 


Goi 


CHcKJH.erel 


CNET 


CNET glossary 


ODBC 

Open Database 
Connectivity 

This set of application 
programming interfaces, 
created by Microsoft, 
defines how to move 
information in and out of 
any PC database that 
supports the standard. 

See also: API 


Who sees your resume more often: 


Visit the Career Center 


powered by looksmart 


Click Here! 




-jCNET Services: Auctions • Check Latest Prices • Data Services * Downloads • Enterprise Business • 
Find a Web Host • Find an ISP ■ Free Newsletters ■ Gadgets • Games * Hardware • Hel p & How-Tos * 
Latest PCs • Media Productions • News • Publish Your Opinion * Search • Stock Quotes • Tech Jobs • 
- "Web Building • All Services 


CNET Jobs i Corrections j How to Advertise | Join CNET’s Affiliate Program | Support 
Back to Top 


About CNET 

Joi n CN ET, we’ re h iri ng 


Copyright ©1 995-2000 CNET Networks, Inc. All rights reserved. Privacy policy . 


http://coverage.cnet.com/Resources/Info/Glossary/Terms/odbc.html 


11/20/00 





FD-801 (Rev. 7-15-97) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE 


To: Counterterrorism 


From: SAC, Seattle 

Squad 11 
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Drafted By: Igt 

Case ID #: X ^88A-SE~85166 

Title: Subject: HACKWEISER; 

Victim: SNONET; 

Type: Intrusion - Web Page Defacement 
Date: 09/24/2000 

SUBMISSION: □ Initial □ Supplemental ® Closed 

CASE OPENED : 11/17/2000 

CASE CLOSED: 08/08/2001 

□ No action due to state/local prosecution (Name/Number 

E USA declination 

□ Referred to Another Federal Agency (Name/Number: ) 

□ Placed in unaddressed work 

□ Closed administratively 

□ Conviction 



COORDINATION: FBI Field Office Settle 

Government Agency N/A 
Private Corporation SNONET contact) 

VICTIM 
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To: Counterterrorism From: 

Re: 288A-SE-NEW, 05/31/2001 


SAC, Seattle 
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REMARKS 


On 09/25/2000, 


contacted the complain t desk of the 


advised 


Seattle Division of the Federal Bureau of Investigation, 
that his business' web site had been hacked, and that hacker (s) Had replaced 
web pages with inappropriate material (e.g. vulgar c omments) . On 
11/17/2000, Intelligence Operatio ns Specialist (IQS) I \ 

telephonically contacted ! | For a full accounting of) 

statement, please see the 801 in this case dated 11/17/2000 
predicated on a violation of 18 U.S.C. 1030, was opened, 
assigned to writer on 12/01/2000. 


b6 

b7C 


case, 


The case was 


b7D 

b7E 


On 08/08/2001 du ring a meeting with the United States Attorney's Office, 

AUSA l [ declined prosecution of the above caption case. As a t>6 

result, the Seattle Division of the FBI is closing its file. b7c 
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